I'm quite new here, and mainly moved from my previous host because they removed Let's Encrypt support(?!). An ongoing issue with their LE implementation I had was that renewal often failed --silently-- and next I'd know was a visitor or client emailing me that "your site is hacked, there's a warning and a yellow border around it". That is, the below may be just ramblings of the overly-worried; keep a pinch of salt at hand.
So, my previous webhost renewed (or tried to) the free 90-day LE certificates 30 days before expiry. Whenever that failed, there would not be a warning email to me as I'm not involved in the management. Therefore I have a monthly cronjob (.sh) that consists of lines like
```
echo 'my.domain.name:'
echo | openssl s_client -connect my.domain.name.net:443 -servername my.domain.name 2>/dev/null | openssl x509 -noout -enddate
```
thus I have a monthly email summary where I easily spot which ones have failed. For those that had failed, I'd turn off "Use LE", save setting, turn on & save again; problem solved and new certificate online in minutes. All OK; I could edit the script to prettify by highlighting the problems etc., but at just two dozen it's fine as-is [... unless this call is unnecessarily resource-intensive; it's just a magic one-liner I found on a forum somewhere, I didn't find a recommended LE practice for non-admins].
Now, from this script I've concluded Opalstack renews 10 days (not 30 days) before expiry: I had 10 expiring Sept 3 at various hours, one Sept 4, one (late on) Sept 5... You can see when I migrated =). Almost all of these recently renewed --- not the Sept 5 one, which I expect to be renewed just before midnight tonight, but also not one of those ten expiring Sept 3. So renewal must have --silently-- failed on that one, I think.
- Is my conclusion about failure correct?
- If so, will there be a further check, that spots the ones that slipped through the net (like my one)?
- I'm guessing the same "turning it off and on again" as at my previous host will be the best remedy, to force any problem case instantly into the renewal queue?
- Is my "10 days before end" a correct observation? That is, should I just make my cronjob/check 3x more frequent (and also prettify my script, because a frequent-and-practically-always-OK report inevitably has my lazy cursory glance glossing over any eventual error)?
The Opalstack Help on the topic is otherwise clear (and much more abundant than on other hosts I have), but doesn't answer the above.
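
An added example, not part of the original post: one way to turn the one-liner above into a check that stays silent unless a certificate has fewer days left than the renewal window, so cron only sends mail when a renewal appears to have been missed. The function names, the `WARN_DAYS` and `VERBOSE` variables and the 10-day default are assumptions for illustration; date parsing relies on GNU `date -d`.

```shell
#!/bin/sh
# Usage: certcheck.sh host1 host2 ...   (hosts are passed as arguments)
# WARN_DAYS: a cert with fewer days left than this should already have been
# renewed. 10 matches the window observed in the post (assumption).
WARN_DAYS=${WARN_DAYS:-10}

# cert_status "notAfter=<date>" warn_days [now_epoch]
# Classifies the line printed by `openssl x509 -noout -enddate`.
cert_status() {
    end=${1#notAfter=}
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 0; }
    now_epoch=${3:-$(date -u +%s)}
    left=$(( end_epoch - now_epoch ))      # seconds until expiry
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( $2 * 86400 )) ]; then
        echo "RENEWAL_OVERDUE $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
}

# check_host host: fetch the served certificate and report its status.
# Prints problems always; prints OK lines only when VERBOSE is set, so a
# cron run with no problems produces no output and therefore no email.
check_host() {
    line=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
           openssl x509 -noout -enddate 2>/dev/null)
    if [ -z "$line" ]; then
        echo "$1: NO_CERT (connection or TLS handshake failed)"
        return 1
    fi
    status=$(cert_status "$line" "$WARN_DAYS")
    case $status in
        OK*) [ -n "${VERBOSE:-}" ] && echo "$1: $status" ; return 0 ;;
        *)   echo "$1: $status ($line)" ; return 1 ;;
    esac
}

# Check every host given on the command line; nothing runs without arguments.
for h in "$@"; do
    check_host "$h" || true
done
```

Run daily from cron with the domains as arguments; set `VERBOSE=1` for a full summary like the original monthly report.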